TRAINING REPORT
On
B.TECH
ELECTRONICS & COMMUNICATION ENGINEERING
To
SUBMITTED TO:
SUBMITTED BY:
Vishav Verma
Desg: Head of Department (Electronics)
ACKNOWLEDGEMENT
It is our pleasure to be indebted to various people, who
directly or indirectly contributed to the development of this
work and who influenced my thinking, behaviour and acts
during the course of study.
We express our sincere gratitude to PRINCIPAL worthy
Principal for providing me an opportunity to undergo Technical
Training as the part of the curriculum.
We are thankful to Mr. Lokesh
Lastly, we would like to thank the almighty and our parents for
their moral support and friends with whom we shared our day-to-day experience and received lots of suggestions that
improved our quality of work.
Vishav Verma
B.Tech(ECE)
4713309
7th Semester
CANDIDATE'S DECLARATION
I, Vishav Verma, bearing Roll No. 4713309, B.Tech (Semester 7th) of the ICL Institute of Engineering &
Vishav Verma
Place:
Date:
CONTENTS
Introduction (networking)
OSI and TCP/IP model
Routers and Routing protocols
Switch and Switching
LAN
WAN
Wireless Router
VLAN
ACLs
Network configuration steps
INTRODUCTION
In the world of computers, networking is the practice of interfacing two or more computing
devices with each other for the purpose of sharing data. Computer networks are built with a
combination of hardware and software.
Area Networks
Computer networks can be categorized in several different ways. One approach defines the
type of network according to the geographic area it spans.
Local area networks (LANs), for example, typically span a single home, school, or small
office building, whereas wide area networks (WANs), reach across cities, states, or even
across the world. The Internet is the world's largest public WAN.
Network Design
Computer networks also differ in their design approach. The two basic forms of network
design are called client/server and peer-to-peer. Client-server networks feature
centralized server computers that store email, Web pages, files, and/or applications. On a
peer-to-peer network, conversely, all computers tend to support the same functions. Client-server networks are much more common in business and peer-to-peer networks much more
common in homes.
A network topology represents its layout or structure from the point of view of data flow. In
so-called bus networks, for example, all of the computers share and communicate across
one common conduit, whereas in a star network, all data flows through one centralized
device.
Common types of network topologies include bus, star, ring networks and mesh networks.
Network Protocols
Networks often implement multiple protocols with each supporting specific applications.
Popular protocols include TCP/IP, the most common protocol found on the Internet and in
home networks.
Whether it's wired or wireless, most data communication today happens by way of packets
of information travelling over one or more networks. But before these networks can work
together, they must use a common protocol, or a set of rules for transmitting and
receiving these packets of data. Many protocols have been developed. One of the most
widely used is the Transmission Control Protocol/Internet Protocol (TCP/IP). Also, a generic
protocol model used in describing network communications, known as the Open Systems
Interconnection (OSI) model, is useful for comparing and contrasting different protocols.
computers communicate with one another over a network. Its seven-layered approach to
data transmission divides the many operations up into specific related groups of actions at
each layer (Fig. 1).
Fig. 1. In the OSI model, data flows down the transmit layers, over the physical link, and
then up through the receive layers.
The transmitting computer's software gives the data to be transmitted to the application layer,
where it is processed and passed from layer to layer down the stack, with each layer
performing its designated functions. The data is then transmitted over the physical layer of
the network until the destination computer or another device receives it. At this point the data
is passed up through the layers again, each layer performing its assigned operations until
the data is used by the receiving computer's software.
During transmission, each layer adds a header to the data that directs and identifies the
packet. This process is called encapsulation. The header and data together form the data
packet for the next layer that, in turn, adds its header and so on. The combined
encapsulated packet is then transmitted and received. The receiving computer reverses the
process, de-encapsulating the data at each layer with the header information directing the
operations. Then, the application finally uses the data. The process is continued until all data
is transmitted and received.
All of the necessary and desirable operations required are grouped together in a logical
sequence at each of the layers. Each layer is responsible for specific functions:
Layer 7 application: This layer works with the application software to provide
communications functions as required. It verifies the availability of a communications partner
and the resources to support any data transfer. It also works with end applications such as
domain name service (DNS), file transfer protocol (FTP), hypertext transfer protocol (HTTP),
Internet message access protocol (IMAP), post office protocol (POP), simple mail transfer
protocol (SMTP), Telnet, and terminal emulation.
Layer 6 presentation: This layer checks the data to ensure that it is compatible with the
communications resources. It ensures compatibility between the data formats at the
applications level and the lower levels. It also handles any needed data formatting or code
conversion, as well as data compression and encryption.
Layer 5 session: Layer 5 software handles authentication and authorization functions. It
also manages the connection between the two communicating devices, establishing a
connection, maintaining the connection, and ultimately terminating it. This layer verifies that
the data is delivered as well.
Layer 4 transport: This layer provides quality of service (QoS) functions and ensures the
complete delivery of the data. The integrity of the data is guaranteed at this layer via error
correction and similar functions.
Layer 3 network: The network layer handles packet routing via logical addressing and
switching functions.
Layer 2 data link: Layer 2 operations package and unpack the data in frames.
Layer 1 physical: This layer defines the logic levels, data rate, physical media, and data
conversion functions that make up the bit stream of packets from one device to another.
There are two key points to make about the OSI model. First, the OSI model is just that, a
model. Its use is not mandated for networking, yet most protocols and systems adhere to it
quite closely. It is mainly useful for discussing, describing, and understanding individual
network functions.
Second, not all layers are used in some simpler applications. While layers 1, 2, and 3 are
mandatory for any data transmission, the application may use some unique interface layer to
the application instead of the usual upper layers of the model.
TCP/IP:
TCP/IP was developed during the 1960s as part of the Department of Defense's (DoD)
Advanced Research Projects Agency (ARPA) effort to build a nationwide packet data
network. It was first used in UNIX-based computers in universities and government
installations. Today, it is the main protocol used in all Internet operations.
TCP/IP also is a layered protocol but does not use all of the OSI layers, though the layers
are equivalent in operation and function (Fig. 2). The network access layer is equivalent to
OSI layers 1 and 2. The Internet Protocol layer is comparable to layer 3 in the OSI model.
The host-to-host layer is equivalent to OSI layer 4. These are the TCP and UDP (user
datagram protocol) functions. Finally, the application layer is similar to OSI layers 5, 6, and 7
combined.
Fig. 2. The seven layers of the OSI model somewhat correspond with the four layers that
make up the TCP/IP protocol.
The TCP layer packages the data into packets. A header that's added to the data includes
source and destination addresses, a sequence number, an acknowledgment number, a
checksum for error detection and correction, and some other information (Fig. 3). The
header is 20 octets (octet = 8 bits) grouped in 32-bit increments. These bits are transmitted
from left to right and top to bottom.
Fig. 3. The header is added and then removed during the encapsulation and de-encapsulation of the packet data at the TCP layer.
At the receiving end of the link, TCP reassembles the packets in the correct order and routes
them up the stack to the application. TCP can retransmit a packet if an error occurs. In any
case, TCP's main job is just to pack and unpack the data and provide some assurance of the
reliable transmission of error-free data. The IP layer actually transmits the TCP packet.
The IP layer transmits the data over the physical-layer connection. IP adds its own header to
the packet (Fig. 4). The header comprises 32 octets, again grouped in 32-bit words. Note the
32-bit source and destination addresses. These are the well-known IP addresses that we
see in dotted decimal format (e.g., 197.45.204.36), where each 8-bit octet is expressed in its
decimal value. This is the address assigned to the device by the Internet Assigned Numbers
Authority (IANA).
Fig. 4. The IPv4 header is used during the Internet Protocol process in data transmission.
Note the 32-bit source and destination addresses.
The header in Figure 4 is that used in IP version 4 (IPv4). Since the IANA has run out of 32-bit addresses (2^32 of them!), a newer version is rapidly being adopted. IPv6 uses 128-bit
addresses (Fig. 5). With 2^128 addresses, there should be enough for all of the planet's
computers, tablets, and smart phones as well as all of the devices that may be connected to
form the so-called Internet of Things (IoT).
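The encapsulation described for the TCP and IPv4 headers above can be made concrete with a small builder and parser. This is an added example, not code from the report: it constructs a packet with a TCP header (20 octets) inside an IPv4 header (20 octets, as Figure 4 shows), then de-encapsulates it and verifies both Internet checksums, which is what lets a receiver detect a corrupted header or payload. The addresses, ports and payload are constructed sample values.

```python
import struct
from dataclasses import dataclass


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd length with one zero octet
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class IPv4Header:
    ihl: int            # header length in octets (IHL field * 4)
    total_length: int
    ttl: int
    protocol: int       # 6 = TCP
    src: str
    dst: str
    checksum_ok: bool


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int          # low 9 bits of the offset/flags word; 0x02 = SYN
    window: int
    checksum_ok: bool


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Encapsulate: wrap the payload in a TCP header, then wrap the segment in an IPv4 header."""
    s, d = ip_to_bytes(src), ip_to_bytes(dst)
    # TCP: ports, seq 1000, ack 0, data offset 5 words + SYN flag, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    # The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4: version 4 / IHL 5, TOS 0, total length, id 1, DF flag, TTL 64, protocol 6, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4(packet: bytes):
    """Strip the IPv4 header; returns (header fields, the encapsulated segment)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or ihl > total_len:
        raise ValueError("malformed IPv4 header")       # refuse inconsistent lengths
    header = packet[:ihl]
    ok = ones_complement_sum(header[:10] + b"\x00\x00" + header[12:]) == csum
    return IPv4Header(ihl, total_len, ttl, proto, bytes_to_ip(s), bytes_to_ip(d), ok), packet[ihl:total_len]


def parse_tcp(segment: bytes, src: str, dst: str):
    """Strip the TCP header; the IP addresses are needed to rebuild the pseudo-header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4
    if offset < 20 or offset > len(segment):
        raise ValueError("bad TCP data offset")
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    ok = ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:]) == csum
    return TCPHeader(sport, dport, seq, ack, off_flags & 0x1FF, window, ok), segment[offset:]


def decapsulate(packet: bytes):
    """Reverse the encapsulation: IP header off first, then the TCP header, leaving the data."""
    ip, segment = parse_ipv4(packet)
    tcp, payload = parse_tcp(segment, ip.src, ip.dst)
    return ip, tcp, payload
```

Flipping one bit of the TTL in transit makes the IPv4 check fail while the TCP check still passes, since the TCP pseudo-header does not cover the TTL; altering the payload does the opposite.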
Fig. 5. The new IPv6 header for the Internet Protocol is similar to IPv4 but uses 128-bit
source and destination addresses.
Once the IP header is added to the data, it is transferred to the Network Access layer. This
layer repackages the data again into Ethernet packets or some other protocol for final
physical transmission. The Ethernet packets are then reconfigured again for transmission
over a DSL or cable TV connection, or over a wide-area network using SONET or optical
transport network (OTN).
Note: The ARPANET was developed by Advanced Research Projects Agency (ARPA) of the
United States Department of Defense. The ARPANET was the world's first operational
packet switching network and the predecessor of today's Internet.
Routers have many of the same hardware and software components that are found in other
computers including:
CPU
RAM
ROM
Operating System
A router connects multiple networks. This means that it has multiple interfaces that
each belong to a different IP network. When a router receives an IP packet on one interface,
it determines which interface to use to forward the packet onto its destination. The interface
that the router uses to forward the packet may be the network of the final destination of the
packet (the network with the destination IP address of this packet), or it may be a network
connected to another router that is used to reach the destination network.
Each network that a router connects to typically requires a separate interface. These
interfaces are used to connect a combination of both Local Area Networks (LANs) and Wide
Area Networks (WANs). LANs are commonly Ethernet networks that contain devices such
as PCs, printers, and servers. WANs are used to connect networks over a large
geographical area. For example, a WAN connection is commonly used to connect a LAN to
the Internet Service Provider (ISP) network.
The primary responsibility of a router is to direct packets destined for local and remote
networks by:
Determining the best path to send packets
Forwarding packets toward their destination
The router uses its routing table to determine the best path to forward the packet. When the
router receives a packet, it examines its destination IP address and searches for the best
match with a network address in the router's routing table. The routing table also includes
the interface to be used to forward the packet. Once a match is found, the router
encapsulates the IP packet into the data link frame of the outgoing or exit interface, and the
packet is then forwarded toward its destination.
ROUTING PROTOCOLS
Static Routing
Remote networks are added to the routing table either by configuring static routes or
enabling a dynamic routing protocol. When the IOS learns about a remote network and the
interface that it will use to reach that network, it adds that route to the routing table as long
as the exit interface is enabled.
A static route includes the network address and subnet mask of the remote network, along
with the IP address of the next-hop router or exit interface. Static routes are denoted with the
code S in the routing table as shown in the figure. Static routes are examined in detail in the
next chapter.
When to Use Static Routes
Static routes should be used in the following cases:
A network consists of only a few routers. Using a dynamic routing protocol in such a case
does not present any substantial benefit. On the contrary, dynamic routing may add more
administrative overhead.
A network is connected to the Internet only through a single ISP. There is no need to use a
dynamic routing protocol across this link because the ISP represents the only exit point to
the Internet.
A large network is configured in a hub-and-spoke topology. A hub-and-spoke topology
consists of a central location (the hub) and multiple branch locations (spokes), with each
spoke having only one connection to the hub. Using dynamic routing would be unnecessary
because each branch has only one path to a given destination, through the central location.
Typically, most routing tables contain a combination of static routes and dynamic routes. But,
as stated earlier, the routing table must first contain the directly connected networks used to
access these remote networks before any static or dynamic routing can be used.
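The routing-table lookup described above (best match on the destination address, then forwarding out the listed interface) and the static-route rules (a route needs a next hop or exit interface, and is installed only while its exit interface is up) can be modelled in a few lines. This is an added example, not code from the report or from any router vendor: the interface names, addresses and routes are constructed sample values, and the model keeps only the code C (directly connected) and code S (static) route types.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    code: str                       # "C" = directly connected, "S" = static
    network: IPv4Network            # destination network plus subnet mask
    exit_interface: str
    next_hop: Optional[IPv4Address] = None


class Router:
    """Minimal model of a router's interfaces and routing table (constructed example)."""

    def __init__(self) -> None:
        self.interfaces: dict[str, tuple[IPv4Interface, bool]] = {}   # name -> (addr/mask, link up?)
        self.configured: list[Route] = []

    def add_interface(self, name: str, addr: str, up: bool = True) -> None:
        iface = IPv4Interface(addr)
        self.interfaces[name] = (iface, up)
        # The network an interface sits on becomes a directly connected route (code C).
        self.configured.append(Route("C", iface.network, name))

    def _connected_route_for(self, addr: IPv4Address) -> Route:
        for r in self.configured:
            if r.code == "C" and addr in r.network:
                return r
        raise ValueError(f"next hop {addr} is not on a directly connected network")

    def add_static_route(self, cidr: str, next_hop: Optional[str] = None,
                         exit_interface: Optional[str] = None) -> None:
        """A static route names the remote network and a next-hop address and/or exit interface."""
        network = IPv4Network(cidr)
        hop = IPv4Address(next_hop) if next_hop else None
        if exit_interface is None:
            if hop is None:
                raise ValueError("a static route needs a next hop or an exit interface")
            # Resolve the next hop to the connected network it lives on.
            exit_interface = self._connected_route_for(hop).exit_interface
        if exit_interface not in self.interfaces:
            raise ValueError(f"unknown interface {exit_interface}")
        self.configured.append(Route("S", network, exit_interface, hop))

    def routing_table(self) -> list[Route]:
        """Installed routes: only those whose exit interface is up, most specific prefix first."""
        installed = [r for r in self.configured if self.interfaces[r.exit_interface][1]]
        return sorted(installed, key=lambda r: r.network.prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[Route]:
        """Best (longest-prefix) match for a destination address; None means the packet is dropped."""
        dst = IPv4Address(destination)
        for route in self.routing_table():
            if dst in route.network:
                return route
        return None


def describe(route: Optional[Route]) -> str:
    """Render a lookup result the way a routing-table line reads."""
    if route is None:
        return "no route (drop)"
    via = f" via {route.next_hop}" if route.next_hop else ""
    return f"{route.code} {route.network}{via}, {route.exit_interface}"
```

Because candidates are tried from the longest prefix down, a default route (0.0.0.0/0) is only used when no more specific network matches, and a route through a down interface disappears from the table rather than black-holing traffic.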
Note: IS-IS and BGP are beyond the scope of this course and are covered in the CCNP
curriculum.
re administrator knowledge is required for configuration, verification, and
troubleshooting.
SWITCH:
A network switch (also called switching hub, bridging hub, officially MAC bridge[1]) is
a computer networking device that connects devices together on a computer network, by
using packet switching to receive, process and forward data to the destination device. Unlike
less advanced network hubs, a network switch forwards data only to one or multiple devices
that need to receive it, rather than broadcasting the same data out of each of its ports.[2]
A network switch is a multiport network bridge that uses hardware addresses to process and
forward data at the data link layer (layer 2) of the OSI model. Switches can also process
data at the network layer (layer 3) by additionally incorporating routing functionality that most
commonly uses IP addresses to perform packet forwarding; such switches are commonly
known as layer-3 switches or multilayer switches.[3] Besides the most commonly
used Ethernet switches, switches exist for various types of networks, including Fibre
Channel, Asynchronous Transfer Mode, and InfiniBand. The first Ethernet switch was
introduced by Kalpana in 1990.
SWITCHING
LAN switching is a form of packet switching used in local area networks (LANs). Switching
technologies are crucial to network design, as they allow traffic to be sent only where it is
needed in most cases, using fast, hardware-based methods. LAN switching uses different
kinds of network switches. A basic switch is a layer 2 switch and can be found in
nearly every LAN. Layer 3 or layer 4 switches require more advanced technology
(see managed switch) and are more expensive, and thus are found in larger LANs or in
special network environments.
LAYER 2 SWITCHING
Layer 2 switching uses the media access control address (MAC address) from the
host's network interface cards (NICs) to decide where to forward frames. Layer 2 switching
is hardware-based,[1] which means switches use application-specific integrated
circuit (ASICs) to build and maintain filter tables (also known as MAC address tables or CAM
tables). One way to think of a layer 2 switch is as a multiport bridge.
Layer 2 switching provides the following:
Wire speed
High speed
Low latency
Layer 2 switching is highly efficient because there is no modification to the data packet, only
to the frame encapsulation of the packet, and only when the data packet is passing through
dissimilar media (such as from Ethernet to FDDI). Layer 2 switching is used for workgroup
connectivity and network segmentation (breaking up collision domains). This allows a flatter
network design with more network segments than traditional 10BaseT shared networks.
Layer 2 switching has helped develop new components in the network infrastructure.
These new technologies allow more data to flow off from local subnets and onto a routed
network, where a router's performance can become the bottleneck.
Limitations
Layer 2 switches have the same limitations as bridge networks. Bridges are good if a
network is designed by the 80/20 rule: users spend 80 percent of their time on their local
segment.
Bridged networks break up collision domains, but the network remains one large broadcast
domain. Similarly, layer 2 switches (bridges) cannot break up broadcast domains, which can
cause performance issues and limit the size of your network. Broadcasts and multicasts,
along with the slow convergence of spanning tree, can cause major problems as the network
grows. Because of these problems, layer 2 switches cannot completely replace routers in the
internetwork.
LAN
For the small- and medium-sized business, communicating digitally using data, voice, and
video is critical to business survival. Consequently, a properly designed LAN is a
fundamental requirement for doing business today. You must be able to recognize a well-designed LAN and select the appropriate devices to support the network specifications of a
small- or medium-sized business.
A local area network (LAN) is a computer network that interconnects computers within a
limited area such as a residence, school, laboratory, or office building.[1] A local area network
is contrasted in principle to a wide area network (WAN), which covers a larger geographic
distance and may involve leased telecommunication circuits, while the media for LANs are
locally managed.
Ethernet over twisted pair cabling and Wi-Fi are the two most common transmission
technologies in use for local area networks. Historical technologies include ARCNET, Token
Ring, and AppleTalk.
Access Layer
The access layer interfaces with end devices, such as PCs, printers, and IP phones, to
provide access to the rest of the network. The access layer can include routers, switches,
bridges, hubs, and wireless access points (AP). The main purpose of the access layer is to
provide a means of connecting devices to the network and controlling which devices are
allowed to communicate on the network.
Distribution Layer
The distribution layer aggregates the data received from the access layer switches before it
is transmitted to the core layer for routing to its final destination. The distribution layer
controls the flow of network traffic using policies and delineates broadcast domains by
performing routing functions between virtual LANs (VLANs) defined at the access layer.
VLANs allow you to segment the traffic on a switch into separate subnetworks. For example,
in a university you might separate traffic according to faculty, students, and guests.
Distribution layer switches are typically high-performance devices that have high availability
and redundancy to ensure reliability. You will learn more about VLANs, broadcast domains,
and inter-VLAN routing later in this course.
Core Layer
The core layer of the hierarchical design is the high-speed backbone of the internetwork.
The core layer is critical for interconnectivity between distribution layer devices, so it is
important for the core to be highly available and redundant. The core area can also connect
to Internet resources. The core aggregates the traffic from all the distribution layer devices,
so it must be capable of forwarding large amounts of data quickly.
Note: In smaller networks, it is not unusual to implement a collapsed core model, where the
distribution layer and core layer are combined into one layer.
As a network grows, availability becomes more important. You can dramatically increase
availability through easy redundant implementations with hierarchical networks. Access layer
switches are connected to two different distribution layer switches to ensure path
redundancy. If one of the distribution layer switches fails, the access layer switch can switch
to the other distribution layer switch. Additionally, distribution layer switches are connected to
two or more core layer switches to ensure path availability if a core switch fails. The only
layer where redundancy is limited is at the access layer. Typically, end node devices, such
as PCs, printers, and IP phones, do not have the ability to connect to multiple access layer
switches for redundancy. If an access layer switch fails, just the devices connected to that
one switch would be affected by the outage. The rest of the network would continue to
function unaffected.
Performance
Communication performance is enhanced by avoiding the transmission of data through low-performing, intermediary switches. Data is sent through aggregated switch port links from
the access layer to the distribution layer at near wire speed in most cases. The distribution
layer then uses its high performance switching capabilities to forward the traffic up to the
core, where it is routed to its final destination. Because the core and distribution layers
perform their operations at very high speeds, there is no contention for network bandwidth.
As a result, properly designed hierarchical networks can achieve near wire speed between
all devices.
Security
Security is improved and easier to manage. Access layer switches can be configured with
various port security options that provide control over which devices are allowed to connect
to the network. You also have the flexibility to use more advanced security policies at the
distribution layer. You may apply access control policies that define which communication
protocols are deployed on your network and where they are permitted to go. For example, if
you want to limit the use of HTTP to a specific user community connected at the access
layer, you could apply a policy that blocks HTTP traffic at the distribution layer. Restricting
traffic based on higher layer protocols, such as IP and HTTP, requires that your switches are
able to process policies at that layer. Some access layer switches support Layer 3
functionality, but it is usually the job of the distribution layer switches to process Layer 3
data, because they can process it much more efficiently.
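The two switch behaviours the report describes, the layer 2 MAC address (CAM) table built from the source addresses of arriving frames (Layer 2 Switching section) and the access-layer port security that limits which devices may connect (this section), can be shown together in one small model. This is an added example, not code from the report or from any switch vendor: the port numbers, MAC addresses and the one-MAC-per-port limit are constructed, and the violation action (put the port in an error-disabled state and log it) is a simplified version of how real port security behaves.

```python
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    src: str            # source MAC from the sending NIC
    dst: str            # destination MAC
    ingress_port: int   # switch port the frame arrived on


class Layer2Switch:
    """Learning switch with an optional per-port limit on learned MAC addresses (constructed)."""

    def __init__(self, ports, max_macs_per_port: int | None = None) -> None:
        self.ports = list(ports)
        self.mac_table: dict[str, int] = {}          # CAM table: MAC -> port
        self.max_macs = max_macs_per_port            # None = port security off
        self.err_disabled: set[int] = set()          # ports shut down after a violation
        self.violations: list[tuple[int, str]] = []  # (port, offending MAC), for the operator

    def macs_on_port(self, port: int) -> set[str]:
        return {mac for mac, p in self.mac_table.items() if p == port}

    def _port_security_ok(self, frame: Frame) -> bool:
        # A MAC already learned on this port is always fine; a new (or moved) MAC counts
        # against the port's limit.
        if self.max_macs is None or self.mac_table.get(frame.src) == frame.ingress_port:
            return True
        if len(self.macs_on_port(frame.ingress_port)) < self.max_macs:
            return True
        self.err_disabled.add(frame.ingress_port)     # violation: shut the port ...
        self.violations.append((frame.ingress_port, frame.src))   # ... and record it
        return False

    def forward(self, frame: Frame) -> list[int]:
        """Return the list of egress ports for the frame ([] means the frame is dropped)."""
        if frame.ingress_port in self.err_disabled or not self._port_security_ok(frame):
            return []
        self.mac_table[frame.src] = frame.ingress_port   # learn: source MAC lives on this port
        if is_group_address(frame.dst) or frame.dst not in self.mac_table:
            # Broadcast, multicast or unknown unicast: flood out every other active port.
            return [p for p in self.ports if p != frame.ingress_port and p not in self.err_disabled]
        out = self.mac_table[frame.dst]
        # Filter: a destination on the same port as the sender is never forwarded.
        return [] if out == frame.ingress_port else [out]
```

The flood of unknown-unicast and broadcast frames is why a layer 2 switch breaks up collision domains but not the broadcast domain, as the Limitations section notes.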
Manageability
Manageability is relatively simple on a hierarchical network. Each layer of the hierarchical
design performs specific functions that are consistent throughout that layer. Therefore, if you
need to change the functionality of an access layer switch, you could repeat that change
across all access layer switches in the network because they presumably perform the same
functions at their layer. Deployment of new switches is also simplified because switch
configurations can be copied between devices with very few modifications. Consistency
between the switches at each layer allows for rapid recovery and simplified troubleshooting.
In some special situations, there could be configuration inconsistencies between devices, so
you should ensure that configurations are well documented so that you can compare them
before deployment.
Maintainability
Because hierarchical networks are modular in nature and scale very easily, they are easy to
maintain. With other network topology designs, manageability becomes increasingly
complicated as the network grows. Also, in some network design models, there is a finite
limit to how large the network can grow before it becomes too complicated and expensive to
maintain. In the hierarchical design model, switch functions are defined at each layer,
making the selection of the correct switch easier. Adding switches to one layer does not
necessarily mean there will not be a bottleneck or other limitation at another layer. For a full
mesh network topology to achieve maximum performance, all switches need to be high-performance switches, because each switch needs to be capable of performing all the
functions on the network. In the hierarchical model, switch functions are different at each
layer. You can save money by using less expensive access layer switches at the lowest
layer, and spend more on the distribution and core layer switches to achieve high
performance on the network.
Bandwidth Aggregation
Each layer in the hierarchical network model is a possible candidate for bandwidth
aggregation. Bandwidth aggregation is the practice of considering the specific bandwidth
requirements of each part of the hierarchy. After bandwidth requirements of the network are
known, links between specific switches can be aggregated, which is called link aggregation.
Link aggregation allows multiple switch port links to be combined so as to achieve higher
throughput between switches. Cisco has a proprietary link aggregation technology called
EtherChannel, which allows multiple Ethernet links to be consolidated. A discussion of
EtherChannel is beyond the scope of this course. To learn more, visit:
http://www.cisco.com/en/US/tech/tk389/tk213/tsd_technology_support_protocol_home.html.
Redundancy
Redundancy is one part of creating a highly available network. Redundancy can be provided
in a number of ways. For example, you can double up the network connections between
devices, or you can double the devices themselves. This chapter explores how to employ
redundant network paths between switches. A discussion on doubling up network devices
and employing special network protocols to ensure high availability is beyond the scope of
this course. For an interesting discussion on high availability, visit:
http://www.cisco.com/en/US/products/ps6550/products_ios_technology_home.html.
Implementing redundant links can be expensive. Imagine if every switch in each layer of the
network hierarchy had a connection to every switch at the next layer. It is unlikely that you
will be able to implement redundancy at the access layer because of the cost and limited
features in the end devices, but you can build redundancy into the distribution and core
layers of the network.
Some network failure scenarios can never be prevented, for example, if the power goes out
in the entire city, or the entire building is demolished because of an earthquake. Redundancy
does not attempt to address these types of disasters. To learn more about how a business
can continue to work and recover from a disaster, visit:
http://www.cisco.com/en/US/netsol/ns516/networking_solutions_package.html.
WAN
WANs do not necessarily just connect physically disparate LANs. A campus area network (CAN), for example, may
have a localised backbone of a WAN technology, which connects different LANs within a
campus. This could be to facilitate higher bandwidth applications, or to provide better
functionality for users in the CAN.
WANs are used to connect LANs and other types of networks together, so that users and
computers in one location can communicate with users and computers in other locations.
Many WANs are built for one particular organization and are private. Others, built by Internet
service providers, provide connections from an organization's LAN to the Internet. WANs are
often built using leased lines. At each end of the leased line, a router connects the LAN on
one side with a second router within the LAN on the other. Leased lines can be very
expensive. Instead of using leased lines, WANs can also be built using less costly circuit
switching or packet switching methods. Network protocols including TCP/IP deliver transport
and addressing functions. Protocols including Packet over
SONET/SDH, MPLS, ATM and Frame Relay are often used by service providers to deliver
the links that are used in WANs. X.25 was an important early WAN protocol, and is often
considered to be the "grandfather" of Frame Relay as many of the underlying protocols and
functions of X.25 are still in use today (with upgrades) by Frame Relay.
Academic research into wide area networks can be broken down into three
areas: mathematical models, network emulation and network simulation.
Performance improvements are sometimes delivered via wide area file services or WAN
optimization.
Connection Technology
Many technologies are available for wide area network links. Examples include circuit
switched telephone lines, radio wave transmission, and optic fiber. New developments in
technologies have successively increased transmission rates. In ca. 1960, a 110 bit/s (bits
per second) line was normal on the edge of the WAN, while core links of 56 kbit/s to 64 kbit/s
were considered fast. As of 2014, households are connected to the Internet
with ADSL, Cable, Wimax, 4G or fiber at speeds ranging from 1 Mbit/s to 1 Gbit/s and the
connections in the core of a WAN can range from 1 Gbit/s to 100 Gbit/s.
Wireless Router
Wireless routers perform the role of access point, Ethernet switch, and router. For example,
the Linksys WRT300N used here is really three devices in one box. First, there is the wireless
access point, which performs the typical functions of an access point. A built-in four-port, full-duplex, 10/100 switch provides connectivity to wired devices. Finally, the router function
provides a gateway for connecting to other network infrastructures.
The WRT300N is most commonly used as a small business or residential wireless access
device. The expected load on the device is low enough that it should be able to manage the
provision of WLAN, 802.3 Ethernet, and connect to an ISP.
before transmitting. When a Linksys access point is configured to allow both 802.11b and
802.11g clients, it is operating in mixed mode.
For an access point to support 802.11a as well as 802.11b and g, it must have a second
radio to operate in the different RF band.
A shared service set identifier (SSID) is a unique identifier that client devices use to
distinguish between multiple wireless networks in the same vicinity. Several access points on
a network can share an SSID. The figure shows an example of SSIDs distinguishing
between WLANs, each of which can be any alphanumeric, case-sensitive entry from 2 to 32
characters long.
The IEEE 802.11 standard establishes the channelization scheme for the use of the
unlicensed ISM RF bands in WLANs. The 2.4 GHz band is broken down into 11 channels for
North America and 13 channels for Europe. These channels have a center frequency
separation of only 5 MHz and an overall channel bandwidth (or frequency occupation) of 22
MHz. The 22 MHz channel bandwidth combined with the 5 MHz separation between center
frequencies means there is an overlap between successive channels. Best practices for
WLANs that require multiple access points are set to use non-overlapping channels. If there
are three adjacent access points, use channels 1, 6, and 11. If there are just two, select any
two that are five channels apart, such as channels 5 and 10. Many access points can
automatically select a channel based on adjacent channel use. Some products continuously
monitor the radio space to adjust the channel settings dynamically in response to
environmental changes.
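A small planner for the channel scheme just described, added here as an example (it is not part of the report). It uses the 5 MHz spacing and 22 MHz channel width from the text plus one assumption, that channel 1 is centred at 2412 MHz, and it generalises the 1/6/11 advice by enumerating every largest non-overlapping channel set for a regulatory domain.

```python
# Added example: planner for the 2.4 GHz channel scheme described above.
from itertools import combinations

CENTRE_SPACING_MHZ = 5          # from the text: successive centres are 5 MHz apart
CHANNEL_WIDTH_MHZ = 22          # from the text: each channel occupies 22 MHz
CHANNEL_1_CENTRE_MHZ = 2412     # assumption: 802.11b/g channel 1 centre frequency


def centre_mhz(channel):
    """Centre frequency of channel 1..13 (North America uses 1-11, Europe 1-13)."""
    if not 1 <= channel <= 13:
        raise ValueError("only channels 1-13 are modelled")
    return CHANNEL_1_CENTRE_MHZ + (channel - 1) * CENTRE_SPACING_MHZ


def overlaps(ch_a, ch_b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels):
    """True when no pair of channels in the set overlaps."""
    return all(not overlaps(a, b) for a, b in combinations(channels, 2))


def largest_clean_sets(top_channel):
    """Every largest set of mutually non-overlapping channels in 1..top_channel.

    Adjacent access points should each take one channel from one such set.
    """
    chans = range(1, top_channel + 1)
    best = []
    for size in range(1, top_channel + 1):
        found = [c for c in combinations(chans, size) if non_overlapping(c)]
        if not found:
            break
        best = found
    return best


if __name__ == "__main__":
    print("North America (11 channels):", largest_clean_sets(11))
    print("Europe (13 channels):", largest_clean_sets(13))
```

For the 11-channel North American band the only three-channel set is 1/6/11; the 13-channel European band allows ten different three-channel sets, but never four.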
802.11 Topologies
Wireless LANs can accommodate various network topologies. When describing these
topologies, the fundamental building block of the IEEE 802.11 WLAN architecture is the
basic service set (BSS). The standard defines a BSS as a group of stations that
communicate with each other.
Ad hoc Networks
Wireless networks can operate without access points; this is called an ad hoc topology.
Client stations which are configured to operate in ad hoc mode configure the wireless
parameters between themselves. The IEEE 802.11 standard refers to an ad hoc network as
an independent BSS (IBSS).
Basic Service Sets
Access points provide an infrastructure that adds services and improves the range for
clients. A single access point in infrastructure mode manages the wireless parameters and
the topology is simply a BSS. The coverage area for both an IBSS and a BSS is the basic
service area (BSA).
Extended Service Sets
When a single BSS provides insufficient RF coverage, one or more can be joined through a
common distribution system into an extended service set (ESS). In an ESS, one BSS is
differentiated from another by the BSS identifier (BSSID), which is the MAC address of the
access point serving the BSS. The coverage area is the extended service area (ESA).
Common Distribution System
The common distribution system allows multiple access points in an ESS to appear to be a
single BSS. An ESS generally includes a common SSID to allow a user to roam from access
point to access point.
Cells represent the coverage area provided by a single channel. An ESS should have 10 to
15 percent overlap between cells in an extended service area. With a 15 percent overlap
between cells, a common SSID, and non-overlapping channels (one cell on channel 1 and the
other on channel 6), roaming capability can be created.
VLAN
A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and
subnets to exist on the same switched network. The figure shows a network with three
computers. For computers to communicate on the same VLAN, each must have an IP
address and a subnet mask that is consistent for that VLAN. The switch has to be configured
with the VLAN and each port in the VLAN must be assigned to the VLAN. A switch port with
a single VLAN configured on it is called an access port. Remember, just because two
computers are physically connected to the same switch does not mean that they can
communicate. Devices on two separate networks and subnets must communicate via a
router (Layer 3), whether or not VLANs are used. You do not need VLANs to have multiple
networks and subnets on a switched network, but there are definite advantages to using
VLANs.
Benefits of a VLAN
User productivity and network adaptability are key drivers for business growth and success.
Implementing VLAN technology enables a network to more flexibly support business goals.
The primary benefits of using VLANs are as follows:
1. Security - Groups that have sensitive data are separated from the rest of the network,
decreasing the chances of confidential information breaches. Faculty computers are on
VLAN 10 and completely separated from student and guest data traffic.
2. Cost reduction - Cost savings result from less need for expensive network upgrades and
more efficient use of existing bandwidth and uplinks.
3. Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups
(broadcast domains) reduces unnecessary traffic on the network and boosts
performance.
4. Broadcast storm mitigation - Dividing a network into VLANs reduces the number of
devices that may participate in a broadcast storm. As discussed in the "Configure a
Switch" chapter, LAN segmentation prevents a broadcast storm from propagating to the
whole network. In the figure you can see that although there are six computers on this
network, there are only three broadcast domains: Faculty, Student, and Guest.
5. Improved IT staff efficiency - VLANs make it easier to manage the network because users
with similar network requirements share the same VLAN. When you provision a new
switch, all the policies and procedures already configured for the particular VLAN are
implemented when the ports are assigned. It is also easy for the IT staff to identify the
function of a VLAN by giving it an appropriate name. In the figure, for easy identification
VLAN 20 has been named "Student", VLAN 10 could be named "Faculty", and VLAN 30
"Guest."
6. Simpler project or application management - VLANs aggregate users and network
devices to support business or geographic requirements. Having separate functions
makes managing a project or working with a specialized application easier, for example,
an e-learning development platform for faculty. It is also easier to determine the scope of
the effects of upgrading network services.
VLAN ID Ranges
Access VLANs are divided into either a normal range or an extended range.
Normal Range VLANs
Used in small- and medium-sized business and enterprise networks.
Identified by a VLAN ID between 1 and 1005.
IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
IDs 1 and 1002 to 1005 are automatically created and cannot be removed. You will learn
more about VLAN 1 later in this chapter.
Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is
located in the flash memory of the switch.
The VLAN trunking protocol (VTP), which helps manage VLAN configurations between
switches, can only learn normal range VLANs and stores them in the VLAN database file.
Types of VLAN
Today there is essentially one way of implementing VLANs - port-based VLANs. A port-based
VLAN is associated with a port called an access VLAN.
However, in the network there are a number of terms for VLANs. Some terms define the type
of network traffic they carry and others define a specific function a VLAN performs. The
following describes common VLAN terminology:
Data VLAN
A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could
carry voice-based traffic or traffic used to manage the switch, but this traffic would not be
part of a data VLAN. It is common practice to separate voice and management traffic from
data traffic. The importance of separating user data from switch management control data
and voice traffic is highlighted by the use of a special term used to identify VLANs that only
carry user data - a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.
Default VLAN
All switch ports become a member of the default VLAN after the initial boot up of the
switch. Having all the switch ports participate in the default VLAN makes them all part of the
same broadcast domain. This allows any device connected to any switch port to
communicate with other devices on other switch ports. The default VLAN for Cisco switches
is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and
you cannot delete it. Layer 2 control traffic, such as CDP and spanning tree protocol traffic,
will always be associated with VLAN 1 - this cannot be changed. In the figure, VLAN 1 traffic
is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. It is a security
best practice to change the default VLAN to a VLAN other than VLAN 1; this entails
configuring all the ports on the switch to be associated with a default VLAN other than VLAN
1. VLAN trunks support the transmission of traffic from more than one VLAN. Although VLAN
trunks are mentioned throughout this section, they are explained in the next section on
VLAN trunking.
Note: Some network administrators use the term "default VLAN" to mean a VLAN other than
VLAN 1 defined by the network administrator as the VLAN that all ports are assigned to
when they are not in use. In this case, the only role that VLAN 1 plays is that of handling
Layer 2 control traffic for the network.
Native VLAN
A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic
coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN
(untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. In the
figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to
a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE
802.1Q specification to maintain backward compatibility with untagged traffic common to
legacy LAN scenarios. For our purposes, a native VLAN serves as a common identifier on
opposing ends of a trunk link. It is a best practice to use a VLAN other than VLAN 1 as the
native VLAN.
Management VLAN
A management VLAN is any VLAN you configure to access the management capabilities of
a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a
unique VLAN to serve as the management VLAN. You assign the management VLAN an IP
address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since
the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see
that VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an
arbitrary user connecting to a switch to default to the management VLAN.
Implementations
Many kinds of systems implement ACLs, or have a historical implementation.
Filesystem ACLs
In the 1990s the ACL and RBAC models were extensively tested and used to administrate
file permissions. A filesystem ACL is a data structure (usually a table) containing entries that
specify individual user or group rights to specific system objects such as programs,
processes, or files. These entries are known as access control entries (ACEs) in
the Microsoft Windows NT,[2] OpenVMS, Unix-like, and Mac OS X operating systems. Each
accessible object contains an identifier to its ACL. The privileges or permissions determine
specific access rights, such as whether a user can read from, write to, or execute an object.
In some implementations, an ACE can control whether or not a user, or group of users, may
alter the ACL on an object.
Most of the Unix and Unix-like operating systems (e.g. Linux,[3] BSD, or Solaris) support
POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them, for
example AIX, FreeBSD,[4] Mac OS X beginning with version 10.4 ("Tiger"),
or Solaris with ZFS filesystem,[5] support NFSv4 ACLs, which are part of the NFSv4
standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4
ACLs support for Ext3 filesystem[6] and recent Richacls,[7] which brings NFSv4 ACLs support
for Ext4 filesystem.
Networking ACLs
On some types of proprietary computer hardware (in particular routers and switches), an
Access Control List refers to rules that are applied to port numbers or IP addresses that are
available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to
use the service. Although it is additionally possible to configure Access Control Lists based
on network domain names, this is generally a questionable idea because individual TCP,
UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing
the Access Control List must separately resolve names to numeric addresses. This presents
an additional attack surface for an attacker who is seeking to compromise security of the
system which the Access Control List is protecting. Both individual servers as well
as routers can have network ACLs. Access control lists can generally be configured to
control both inbound and outbound traffic, and in this context they are similar to firewalls.
Like Firewalls, ACLs are subject to security regulations and standards such as PCI DSS.
SQL implementations
ACL algorithms have been ported to SQL and relational database systems. Many "modern"
(2000s and 2010s) SQL-based systems, like enterprise resource planning and content
management systems, have used the ACL model in their administration modules.
AIM: Construct a small corporate network connected through a WAN. In each corporate
office there should be a separate network for employee users and guest users. Each office
should have its own server providing FTP, web and DNS facilities, BUT guest users
should not be able to use the Web facility.
Solution:
First we will configure LAN 1; on similar grounds we can easily configure the other 2 (or
as many as we want) LANs.
In LAN 1: Steps for configuring Switch 0
Here we will create a VLAN for interacting with the wireless router (Linksys WRT300N), which
will further communicate with the guest users (through fa0/2).
We will also configure port fa0/3 of the switch in trunk mode so that the two switches can
communicate with each other.
Switch#conf t
Switch(config)#interf fa0/3
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#exit
Switch(config)#vlan 2
Switch(config-vlan)#interface fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#exit
We also need to configure port fa0/1, connected to the router, in trunk mode, so that when we
configure the router for inter-VLAN routing, the VLANs communicate properly within as well as
outside the (private) network.
Switch>en
Switch#conf t
Switch(config)#interf fa0/1
Switch(config-if)#switchport mode trunk
Router(config-subif)#ex
Router(config)#interf fa0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#ex
Router(config)#interf fa0/0
Router(config-if)#no shutdown
Router(config-if)#ex
Steps for configuring Wireless Router 0
Here we configure the wireless router to communicate with Router 0, via Switch 0, so that it
may further pass the data to the wirelessly connected guest users.
Here we will configure the Internet port connected to port fa0/2 of Switch 0 with
ip address : 20.0.0.12
subnet mask : 255.0.0.0
gateway : 20.0.0.1
The LAN port will automatically be allocated a class C private IP; we need not modify
that.
The host laptops should be fitted with a WLAN card so that they may receive the signals of
the wireless router. With the DHCP setting, these host laptops will automatically be
configured with a class C private IP. (If we want, we can even configure them with static IPs.)
Steps for configuring the Server 0
In the Global Settings section assign
Gateway : 40.0.0.2
DNS Server : 40.0.0.1
Switch on the HTTP/HTTPS mode of the server.
In the DNS section add the name of website and its address.
Name : www.abc.com address: 40.0.0.1
(we can add as many websites as we require.)
In the FTP section, set the username and password for the host machines.
Username : cisco
Password: cisco
Steps for re-configuring Router 0 (for communicating with Server 0 and Frame Relay)
//for configuring fa0/1 to communicate the data of the server.
Router#conf t
Router(config)#inter fa0/1
Router(config-if)#ip address 40.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#ex
//for configuring router to communicate to cloud via s0/1/0
Router(config)#interf s0/1/0
Router(config-if)#encapsulation frame-relay
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state to up
Router(config-if)#ex
Router(config)#access-list 10 permit any
Router(config)#ip nat inside source list 10 interface s0/1/0 overload
Router(config)#interf fa0/0.1
Router(config-subif)#ip nat inside
Router(config-subif)#interf fa0/0.2
Router(config-subif)#ip nat inside
Router(config-subif)#interf s0/1/0
Router(config-if)#ip nat outside
Router(config-if)#
Router(config-if)#end
Router#
Router#configure terminal
Router(config)#interface Serial0/1/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#ex
Router(config)#router ospf 100
Router(config-router)#network 10.0.0.0 0.255.255.255 area 0
Router(config-router)#network 20.0.0.0 0.255.255.255 area 0
Router(config-router)#network 40.0.0.0 0.255.255.255 area 0
Router(config-router)#network 50.0.0.0 0.255.255.255 area 0
Router(config-router)#ex
Router(config)#ex
Now when we check on the PCs of the inner LAN, they will be able to ping the other routers
connected to the cloud, thereby confirming the WAN connection.
Now all the inner host machines, on both VLANs, are able to access all the services of
the server in the LAN, i.e. HTTP, FTP and DNS.
As we want the guest network (the hosts connected wirelessly) not to be able to use the
FTP facility of the server, we need to apply a dynamic ACL on the guest network existing
on VLAN 2.
Router(config)#access-list 101 deny tcp 20.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255 eq
ftp
Router(config)#access-list 101 permit ip any any
Router(config)#interf fa0/0.2
Router(config-subif)#ip access-group 101 in
Router(config-subif)#
Router(config-subif)#ex
After executing these commands, we will achieve the above said target.
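To check what the two access-list lines above actually permit before committing them, here is a small evaluator written for this report as an added example (it is not part of the lab or of any Cisco tool). It models Cisco's first-match rule and the implicit deny at the end of every ACL, parses the wildcard masks exactly as typed above, and uses constructed packets that follow the lab's addressing (20.0.0.0/8 for the guest VLAN 2, 40.0.0.1 for Server 0).

```python
# Added example, not from the report: evaluates the extended ACL applied to
# fa0/0.2 with Cisco first-match semantics and the implicit trailing deny.
import ipaddress
from collections import namedtuple

# Constructed packet model: protocol, source, destination, destination port.
Packet = namedtuple("Packet", "proto src dst dport")
PORT_NAMES = {"ftp": 21, "www": 80}   # subset of the keywords IOS accepts after "eq"


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def _address(t, i):
    """Consume 'any' or 'A.B.C.D WILDCARD' starting at t[i]; return (net, wc, next)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return t[i], t[i + 1], i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    t = line.split()
    action, proto = t[2], t[3]
    src, swc, i = _address(t, 4)
    dst, dwc, i = _address(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return action, proto, src, swc, dst, dwc, port


def ace_matches(ace, pkt):
    _, proto, src, swc, dst, dwc, port = ace
    if proto != "ip" and proto != pkt.proto:      # "ip" matches any protocol
        return False
    if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
        return False
    return port is None or port == pkt.dport


def evaluate(acl, pkt):
    """First matching entry decides; anything matching no entry is denied."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"   # the implicit deny at the end of every Cisco ACL


# The two lines from the lab, exactly as entered on Router 0.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny tcp 20.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255 eq ftp",
    "access-list 101 permit ip any any",
)]

# Constructed traffic from a guest laptop on VLAN 2 towards Server 0.
GUEST_FTP = Packet("tcp", "20.0.0.50", "40.0.0.1", 21)
GUEST_WEB = Packet("tcp", "20.0.0.50", "40.0.0.1", 80)
GUEST_DNS = Packet("udp", "20.0.0.50", "40.0.0.1", 53)
```

Evaluating the first line on its own (ACL_101[:1]) shows why the NOTE further down about taking care with ACLs matters: without the final permit, even guest web and DNS traffic is dropped by the implicit deny.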
By following the above written commands we form a single LAN, having its
own private server, which is ABLE to communicate with other LANs with the help of the
WAN (Frame Relay).
We need to follow similar steps on the routers and switches of the other LANs, in order to
configure them to communicate among themselves as well as with other LANs via the cloud.
We can use the same private IPs inside a LAN (LAN1 and LAN2) or we can use any other public
IP (LAN3) as per our convenience and requirement, but we have to take care of this while
entering the commands for them on the devices in the network.
NOTE: Take extreme care while applying NAT and ACLs on the routers.
Then go to the Frame Relay section and map the DLCIs to each other properly, such that
the routers connected to these serial ports communicate with each other:
102 <-> 201
103 <-> 301
203 <-> 302
Now our corporate WAN network is READY!!